When it comes to managing a healthy alerting system for your security operations center (SOC), tuning false positives is only half the battle. An often overlooked aspect of a healthy alerting system is making sure that critical detections which rarely fire haven’t simply broken completely without anybody noticing. At GitLab, the Signals Engineering team tests detections by simulating real maliciou...
The WATCH framework represents a significant evolution in security operations, addressing a fundamental vulnerability in detection systems: the silent failure of rarely triggered alerts. By automating the simulation of malicious behavior, GitLab shifts from a reactive posture—where broken detections are only discovered during incidents—to a proactive one, where failures are caught before they matter. This approach is particularly valuable in complex environments where log schema changes, SIEM up...
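As an added illustration of the check the post describes (this is not GitLab's WATCH code; the detection rules, simulated events and field names are constructed for the example), a minimal health check that replays each detection's simulated event through the log normalisation pipeline and reports any detection that no longer fires, here after a hypothetical schema change that renames one field:

```python
from dataclasses import dataclass
from typing import Callable

Event = dict

@dataclass(frozen=True)
class Detection:
    name: str
    rule: Callable[[Event], bool]   # detection logic over normalised events; True = alert
    simulate: Callable[[], Event]   # builds a synthetic event that must trigger the rule

def rule_service_account_token(ev: Event) -> bool:
    return ev.get("event") == "token_created" and ev.get("user_type") == "service"

def rule_mfa_disabled(ev: Event) -> bool:
    return ev.get("event") == "mfa_disabled"

# Constructed detections and their simulated (benign, synthetic) trigger events.
DETECTIONS = [
    Detection("service_account_token_created", rule_service_account_token,
              lambda: {"event": "token_created", "user_type": "service", "user": "ci-bot"}),
    Detection("mfa_disabled", rule_mfa_disabled,
              lambda: {"event": "mfa_disabled", "user": "alice"}),
]

def legacy_pipeline(raw: Event) -> Event:
    """Normalisation as it was when the rules were written: fields pass through unchanged."""
    return dict(raw)

def upgraded_pipeline(raw: Event) -> Event:
    """Hypothetical schema change after an upgrade: 'user_type' is now emitted as 'actor_type'.
    Nothing errors; a rule keyed on the old field simply stops matching."""
    out = {k: v for k, v in raw.items() if k != "user_type"}
    if "user_type" in raw:
        out["actor_type"] = raw["user_type"]
    return out

def health_check(detections, pipeline) -> list:
    """Replay each detection's simulated event through the pipeline and return the
    names of detections that no longer alert on the behaviour they were written to catch."""
    return [d.name for d in detections if not d.rule(pipeline(d.simulate()))]

if __name__ == "__main__":
    print("broken before upgrade:", health_check(DETECTIONS, legacy_pipeline))
    print("broken after upgrade: ", health_check(DETECTIONS, upgraded_pipeline))
```

Run on a schedule, an empty result from `health_check` is the signal that every rarely firing detection still works end to end; a non-empty one names exactly which rule broke silently.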